---
title: Multisig Authentication
description: Guide on how to create a multisig transaction and then submit it against a local network using the Sui CLI.
---

The following steps demonstrate how to create a multisig transaction and then submit it against a local network using the [Sui CLI](/references/cli.mdx). A transaction can be the transfer of an object, the publish or upgrade of a package, the payment of SUI, and so on. To learn how to set up a local network, see [Connect to a Local Network](/guides/developer/getting-started/local-network.mdx). 

To learn more about how to create multisig addresses and create multisig transactions using the TypeScript SDK, see the [SDK documentation](https://sdk.mystenlabs.com/typescript/cryptography/multisig) for details. 

## Step 1: Create keys

Use the following command to generate a Sui address and key for each supported key scheme and add it to the `sui.keystore`, then list the keys.

Use `sui client` to create Sui addresses of different key schemes.

```shell
sui client new-address ed25519
sui client new-address secp256k1
sui client new-address secp256r1
```

## Step 2: Add keys to Sui keystore

Use `sui keytool` to list the signatures you created in the previous step.

```shell
sui keytool list
```

The response resembles the following, but displays actual addresses, keys, and peer IDs:

```shell
╭────────────────────────────────────────────────────────────────────────────────────────────╮
│ ╭─────────────────┬──────────────────────────────────────────────────────────────────────╮ │
│ │ suiAddress      │  <SUI-ADDRESS>                                                       │ │
│ │ publicBase64Key │  <PUBLIC-KEY>                                                        │ │
│ │ keyScheme       │  ed25519                                                             │ │
│ │ flag            │  0                                                                   │ │
│ │ peerId          │  <PEER-ID>                                                           │ │
│ ╰─────────────────┴──────────────────────────────────────────────────────────────────────╯ │
│ ╭─────────────────┬──────────────────────────────────────────────────────────────────────╮ │
│ │ suiAddress      │  <SUI-ADDRESS>                                                       │ │
│ │ publicBase64Key │  <PUBLIC-KEY>                                                        │ │
│ │ keyScheme       │  secp256k1                                                           │ │
│ │ flag            │  0                                                                   │ │
│ │ peerId          │  <PEER-ID>                                                           │ │
│ ╰─────────────────┴──────────────────────────────────────────────────────────────────────╯ │
│ ╭─────────────────┬──────────────────────────────────────────────────────────────────────╮ │
│ │ suiAddress      │  <SUI-ADDRESS>                                                       │ │
│ │ publicBase64Key │  <PUBLIC-KEY>                                                        │ │
│ │ keyScheme       │  secp256r1                                                           │ │
│ │ flag            │  0                                                                   │ │
│ │ peerId          │  <PEER-ID>                                                           │ │
│ ╰─────────────────┴──────────────────────────────────────────────────────────────────────╯ │
╰────────────────────────────────────────────────────────────────────────────────────────────╯
```

## Step 3: Create a multisig address

To create a multisig address, input a list of public keys to use for the multisig address and a list of their corresponding weights and the threshold (replacing `<VARIABLES>` with actual values). 

```shell
sui keytool multi-sig-address --pks <PUBLIC-KEY-ED25519> <PUBLIC-KEY-SECPK1> <PUBLIC-KEY-SECP256R1> --weights 1 2 3 --threshold 3
```

The response resembles the following:

```
╭─────────────────┬────────────────────────────────────────────────────────────────────────────────────╮
│ multisigAddress │  <MULTISIG-ADDRESS>                                                                │
│ multisig        │ ╭────────────────────────────────────────────────────────────────────────────────╮ │
│                 │ │ ╭─────────────────┬──────────────────────────────────────────────────────────╮ │ │
│                 │ │ │ address         │  <SUI-ADDRESS>                                           │ │ │
│                 │ │ │ publicBase64Key │  <PUBLIC-KEY>                                            │ │ │
│                 │ │ │ weight          │  1                                                       │ │ │
│                 │ │ ╰─────────────────┴──────────────────────────────────────────────────────────╯ │ │
│                 │ │ ╭─────────────────┬──────────────────────────────────────────────────────────╮ │ │
│                 │ │ │ address         │  <SUI-ADDRESS>                                           │ │ │
│                 │ │ │ publicBase64Key │  <PUBLIC-KEY>                                            │ │ │
│                 │ │ │ weight          │  2                                                       │ │ │
│                 │ │ ╰─────────────────┴──────────────────────────────────────────────────────────╯ │ │
│                 │ │ ╭─────────────────┬──────────────────────────────────────────────────────────╮ │ │
│                 │ │ │ address         │  <SUI-ADDRESS>                                           │ │ │
│                 │ │ │ publicBase64Key │  <PUBLIC-KEY>                                            │ │ │
│                 │ │ │ weight          │  3                                                       │ │ │
│                 │ │ ╰─────────────────┴──────────────────────────────────────────────────────────╯ │ │
│                 │ ╰────────────────────────────────────────────────────────────────────────────────╯ │
╰─────────────────┴────────────────────────────────────────────────────────────────────────────────────╯
```

## Step 4: Send objects to a multisig address

This example requests gas from a local network using the default URL following the guidance in [Connect to a Local Network](/guides/developer/getting-started/local-network.mdx). If following along, be sure to replace `<MULTISIG-ADDR>` with the address you receive in the previous step.

```shell
curl --location --request POST 'http://127.0.0.1:9123/gas' --header 'Content-Type: application/json' --data-raw "{ \"FixedAmountRequest\": { \"recipient\": \"<MULTISIG-ADDR>\" } }"
```

The response resembles the following:

```
{"transferred_gas_objects":[{"amount":200000,"id":"<OBJECT-ID>", ...}]}
```

## Step 5: Serialize any transaction

This section demonstrates how to use an object that belongs to a multisig address and serialize a transfer to be signed. The `tx_bytes` value can be any serialized transaction data where the sender is the multisig address. Use the `--serialize-unsigned-transaction` flag for supported commands in `sui client -h` (`publish`, `upgrade`, `call`, `transfer`, `transfer-sui`, `pay`, `pay-all-sui`, `pay-sui`, `split`, `merge-coin`) to output the Base64 encoded transaction bytes.

{@include: ../../../snippets/info-gas-budget.mdx}

```shell
sui client transfer --to <SUI-ADDRESS> --object-id <OBJECT-ID> --gas-budget <GAS-AMOUNT> --serialize-unsigned-transaction

Raw tx_bytes to execute: <TX_BYTES>
```

## Step 6: Sign the transaction with two keys

Use the following code sample to sign the transaction with two keys in `sui.keystore`. You can do this with other tools as long as you serialize it to `flag || sig || pk`.

```shell
sui keytool sign --address <SUI-ADDRESS> --data <TX_BYTES>

Raw tx_bytes to execute: <TX_BYTES>
Serialized signature (`flag || sig || pk` in Base64): $SIG_1

sui keytool sign --address <SUI-ADDRESS> --data <TX_BYTES>

Raw tx_bytes to execute: <TX_BYTES>
Serialized signature (`flag || sig || pk` in Base64): $SIG_2
```

## Step 7: Combine individual signatures into a multisig

This sample demonstrates how to combine the two signatures:

```shell
sui keytool multi-sig-combine-partial-sig --pks <PUBLIC-KEY-1> <PUBLIC-KEY-2> <PUBLIC-KEY-3> --weights 1 2 3 --threshold 3 --sigs <SIGNATURE-1> <SIGNATURE-2>

multisig address: <MULTISIG-ADDRESS> # Informational
multisig parsed: <HUMAN-READABLE-STRUCT> # Informational
multisig serialized: <SERIALIZED-MULTISIG>
```

You need only the signatures of the participating signers whose sum of weights `>=k`. You must provide all public keys and their weights, and the threshold that defined the multisig address.

## Step 8: Execute a transaction with multisig

Use `sui client` to execute a transaction using multisig:

```shell
sui client execute-signed-tx --tx-bytes <TX_BYTES> --signatures <SERIALIZED-MULTISIG>
```

## Related links

- [Multisig](../../../concepts/cryptography/transaction-auth/multisig.mdx): Definition of multisig transactions on the Sui network and how to use it with CLI.
- [Multisig Typescript SDK](https://sdk.mystenlabs.com/typescript/cryptography/multisig): How to create multisig addresses and sign transactions using the Sui SDK.